The Internet's Vulnerabilities Are Built Into Its Infrastructure


Protection of the Global Information Grid now has evolved into global asymmetric warfare. Engaging in this combat is the principal mission of the U.S. Cyber Command because the infrastructure of the Internet is fundamentally insecure, and the U.S. Defense Department depends increasingly on this cyber highway to function.

There are tens of thousands of defenders of the Internet infrastructure who must be vigilant around the clock, everywhere. Meanwhile, small teams of attackers can strike undetected whenever they choose, from wherever they may be in the world. This is why the contests between the defenders and the aggressors meet the definition of asymmetric warfare in its extreme form.

The reasons for the intrinsic vulnerability of the Internet can be found in the engineering of its switches, routers and network connections, which are owned by the Internet Service Providers (ISPs) and by the communication carriers. These flaws are pervasive. They were embedded 40 years ago when Internet protocols (IPs) were conceived.

Attacks from software bugs and computer viruses target computer devices such as servers, firewalls, desktops, laptops and smart phones. The government owns many such devices. Attacks include gaining unauthorized access, denial of service, malicious code insertion or password cracking. Hackers and other cyber criminals employ the Internet as a delivery means. Such attacks have a limited scope and therefore are seen as carrying geographically containable security

More serious vulnerabilities can result from malfunctions in the Internet infrastructure. This includes connections to ISPs via points of presence, or POPs. They also include local area networks (LANs), wide area networks (WANs) and the switches that aggregate traffic. Malfunctions could occur in the high bandwidth infrastructure for traffic between the ISPs and network access points (NAPs). This includes the backbone interconnections among the NAPs. Therefore, the attack scenarios on the Internet infrastructure concentrate on its switches and routers.

Internet switches are intelligent network components with a wide-ranging set of software-defined services. These services are remotely maintained and upgraded in real time. They also generate remote diagnostics for control locations, which is one of their weak links.

Attackers concentrate on switches and routers when they strike at the network.

[Table: OSI Model, with columns "layers" and "data unit"; the table body did not survive extraction.]

The open systems interconnection model layered approach, shown in this table, allows each subordinate, interdependent layer to provide services to the next higher layer as transactions are converted from lower to higher abstraction levels. Each layer, sending messages as binary bits, is interdependent; if a layer is compromised, the other layers will not know, causing Global Information Grid communications to cease.

The datalink layer is next to the bottom of the open systems interconnection (OSI) model. It suffers from gaping holes that can be exploited. The usual attack consists of altering the manufacturer's code in the switches. A number of major attack categories exist.

Flooding attacks use tools that can generate more than 100,000 bogus entries per minute. This tactic overloads the switch so that it malfunctions.

Address resolution spoofing allows an attacker to sniff the data flowing to a LAN. The traffic either is modified or a denial-of-service condition is created.

The man-in-the-middle attack adds a third-party destination without the legitimate recipients being aware. The third party can extract passwords and confidential data. During a denial-of-service attack, the switch will not deliver packets and will time out, stopping all traffic.

The switch hijacking attack injects illegitimate connections that pretend to be authentic. The added connections take over control without the recipients being aware.

The spanning tree attack allows the inclusion of spare links as backup paths. Communications are then rerouted.

In a root claim attack, bogus bridge protocol messages are used to designate the attacker's station as the new root bridge. Once in control, the attacker can launch a variety of further malicious attacks.

The forcing eternal root election attack makes the network unstable by tampering with the routing algorithm so that it keeps searching for the root switch without ever finding it.

Another tactic is the virtual LAN, or VLAN, hopping attack. Subdivision into different LANs will be compromised if an attacker manages to send messages to the wrong links. When LANs separately support the Non-secure Internet Protocol Router Network and the Secret Internet Protocol Router Network, one of them can be used to initiate a denial-of-service attack on the other.
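The flooding category above leaves a trace in the switch's own address-learning records, and that is where a defender can catch it. The detector below is an added example, not code from the article: it reads log lines in a constructed format (assumed here, not any vendor's real syslog) and flags ports on which the number of newly learned MAC addresses in any one-minute window exceeds a threshold. The threshold and the sample log are assumptions chosen for the illustration.

```python
"""Detecting address-table flooding from switch address-learning logs.

Added example, not code from the article. The log-line format below is
constructed for this illustration and is not any vendor's real syslog format.
"""
from collections import defaultdict
import re

# Constructed format: "<epoch_seconds> LEARN port=<port> mac=<mac>"
LINE_RE = re.compile(r"^(\d+) LEARN port=(\S+) mac=([0-9a-f]{2}(?::[0-9a-f]{2}){5})$")


def parse_line(line):
    """Return (timestamp, port, mac) for a well-formed line, else None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return int(m.group(1)), m.group(2), m.group(3)


def new_macs_per_minute(lines):
    """Count MAC addresses learned for the first time on each port, per 60-second window.

    Repeated learn events for an address already seen on that port are ignored, so
    ordinary hosts that re-announce themselves do not inflate the count; a flood of
    bogus addresses does, because every entry is new.
    """
    seen = defaultdict(set)        # port -> MACs already learned on that port
    counts = defaultdict(int)      # (port, minute_window) -> newly learned MACs
    for line in lines:
        rec = parse_line(line)
        if rec is None:            # skip malformed lines rather than failing
            continue
        ts, port, mac = rec
        if mac in seen[port]:
            continue
        seen[port].add(mac)
        counts[(port, ts // 60)] += 1
    return dict(counts)


def flooding_ports(lines, threshold=1000):
    """Ports whose new-address rate exceeds `threshold` in any single one-minute window.

    The threshold is an assumed tuning value; a real deployment would derive it from
    the port's normal learn rate, far below the 100,000-per-minute figure the article cites.
    """
    return sorted({port for (port, _), n in new_macs_per_minute(lines).items() if n > threshold})


def build_sample_log():
    """Constructed sample: one ordinary access port and one port being flooded."""
    base = 1_700_000_040           # chosen so the sample starts on a 60-second boundary
    lines = [
        f"{base + 1} LEARN port=Gi1/0/1 mac=00:11:22:33:44:55",
        f"{base + 2} LEARN port=Gi1/0/1 mac=00:11:22:33:44:66",
        f"{base + 3} LEARN port=Gi1/0/1 mac=00:11:22:33:44:77",
        f"{base + 9} LEARN port=Gi1/0/1 mac=00:11:22:33:44:55",   # re-learn, not new
        "malformed line that the parser must skip",
    ]
    # 2,000 distinct bogus addresses on Gi1/0/7 within the same minute.
    for i in range(2000):
        ts = base + (i * 60) // 2000
        lines.append(f"{ts} LEARN port=Gi1/0/7 mac=02:00:00:00:{i >> 8:02x}:{i & 0xff:02x}")
    return lines


SAMPLE_LOG = build_sample_log()

if __name__ == "__main__":
    print("ports exceeding threshold:", flooding_ports(SAMPLE_LOG))   # ['Gi1/0/7']
```

Counting only first-time learns per port is the design point: a legitimate host that flaps or re-announces itself is counted once, while a flood of fabricated addresses is new on every line, so the per-window count separates the two without needing a signature for any particular tool.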

Routers are another major point of vulnerability on the Internet. ISPs and NAPs are connected through intermediate network devices known as routers. A router is a special-purpose, dedicated computer that makes connections when it receives a transmission from one of its incoming links, makes a routing decision and forwards the packet to one of its outgoing links. The routing decision is made based on the current state of the connecting links, as well as on the priorities that have been assigned to the various links in order to make selection of the next connection efficient. Each router uses a routing table to keep track of the path taken to the next network destination. Consequently, routing tables will never remain static but will change dynamically as conditions change in real time.
The management of routing tables must be automated for instant adaptation and for assuming additional functions, such as performing security operations in which reverse path verification is feasible. In this technique, the router looks up the source address of a message. If no route back to the source address exists, the packet is assumed to be malformed or involved in a network attack, and is dropped.
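Reverse path verification as described above, written out as an added example (not code from the article). The routing table, interface names and sample packets are constructed. Two variants are shown: strict mode, which additionally requires that the route back to the source leave through the interface the packet arrived on, and loose mode, which only requires that some route back exist. Treating the default route as "no real route back" is an assumption in this example; it mirrors the usual router behaviour of excluding the default route from the check unless explicitly allowed.

```python
"""Reverse path verification (unicast RPF) over a routing table.

Added example, not from the article. The routing table, interface names and
packets below are constructed sample data.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    out_iface: str


# Constructed routing table: the interface through which each prefix is reached.
ROUTING_TABLE = [
    Route(ipaddress.ip_network("10.1.0.0/16"), "eth0"),
    Route(ipaddress.ip_network("10.1.5.0/24"), "eth1"),      # more specific route
    Route(ipaddress.ip_network("192.168.0.0/24"), "eth2"),
    Route(ipaddress.ip_network("0.0.0.0/0"), "eth3"),        # default route toward upstream
]


def lookup(table, addr):
    """Longest-prefix match: the most specific route whose prefix contains addr, or None."""
    addr = ipaddress.ip_address(addr)
    best = None
    for route in table:
        if addr in route.prefix and (best is None or route.prefix.prefixlen > best.prefix.prefixlen):
            best = route
    return best


def rpf_check(table, src_addr, in_iface, mode="strict"):
    """Return True if a packet from src_addr arriving on in_iface passes the check.

    strict: the route back to src_addr must leave through in_iface.
    loose:  any route back to src_addr suffices.
    In both modes the default route does not count as a route back (assumption, see lead-in).
    """
    route = lookup(table, src_addr)
    if route is None or route.prefix.prefixlen == 0:
        return False
    if mode == "loose":
        return True
    return route.out_iface == in_iface


def filter_packets(table, packets, mode="strict"):
    """Split (src, in_iface) pairs into (forwarded, dropped) lists."""
    forwarded, dropped = [], []
    for src, iface in packets:
        (forwarded if rpf_check(table, src, iface, mode) else dropped).append((src, iface))
    return forwarded, dropped


# Constructed packets: (source address, interface the packet arrived on).
SAMPLE_PACKETS = [
    ("10.1.2.3", "eth0"),        # legitimate: route back to 10.1.0.0/16 is via eth0
    ("10.1.5.9", "eth1"),        # legitimate: the more specific /24 is via eth1
    ("10.1.5.9", "eth0"),        # spoofed: claims a 10.1.5.0/24 source but arrived on eth0
    ("192.168.0.7", "eth3"),     # spoofed internal source arriving from upstream
    ("203.0.113.4", "eth3"),     # only the default route leads back: dropped in both modes
]

if __name__ == "__main__":
    forwarded, dropped = filter_packets(ROUTING_TABLE, SAMPLE_PACKETS)
    print("forwarded:", forwarded)
    print("dropped:  ", dropped)
```

The last sample packet shows the caveat a practitioner cares about: on an interface whose only route back is the default route, strict verification drops legitimate traffic too, which is why strict mode is normally applied on interfaces facing known address ranges and loose mode (or none) on the upstream side.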

When a router receives an incoming packet, it passes it to the next router, defined as a "hop" to which the packet should be forwarded. The next router then repeats this process, and so on until the packet reaches its final destination. While the packets travel, they are vulnerable if an attacker is able to tamper with the router's software.

To attack routers requires information on how the network is configured and where the routers are located. One approach is to find the default IP values, which specify the destination addresses on a network path. Another way is to use one of the numerous commercial traceroute software programs. Traceroute follows a packet along its delivery path and reports all the router hops along the way. In this way the network topology is discovered.

There are a number of principal ways to compromise routers. Promiscuous mode corruption involves a promiscuous router, which can monitor and redirect traffic to and from other routers. The router will pass all traffic it receives in a random sequence. This happens when an attacker can masquerade as a "super-user" with software control privileges. Many router operating systems make super-user privileges available for maintenance or for software updating reasons.

In router table attacks, an attacker creates messages that look legitimate, which then can be inserted into the routing table.

During router information attacks, "route poisoning" is used to prevent routing loops within networks. A hop count will indicate to other routers that a route no longer is reachable and should be removed from their respective routing tables. The desired destination for packets will cease to function.

Another tactic is the shortest path attack. Each router passes the status of its links to its neighbors, which in turn forward this information to other routers in the network. As a result of such passing, each router has the link information for all other routers and eventually has the picture of the entire network topology. In a compromised table, the calculated shortest paths will be incorrect, and the shortest path will be purged.

Border gateway attacks exploit the fact that the border gateway protocol does not ensure data integrity and does not provide source authentication. This protocol is the core routing protocol of the Internet, but it can be tampered with.

Border gateway poisoning makes use of router vulnerabilities. Various attacks can be launched to compromise the routing. A special case is the "Black Hole" attack, in which the router directs a packet to a network where packets enter but do not come out.

The Internet infrastructure consists of a web of links that connect devices—switches and routers—that have the logical capability to keep redirecting traffic as it travels from origin to destination. The design of the Internet was to engineer this connectivity at the lowest cost possible to central organizations, such as telecommunications carriers, while making tradeoffs that did not favor security. The original engineering of the Internet left it to other remedies, such as virus protection software and firewall equipment, to provide local security assurance.

With the emerging threats of cyberattacks, one can question whether retaining the existing tradeoffs between spending less on the Internet infrastructure and then boosting investments on local protection remains the best way for defending military networks.

Internet communications can be seen as the passage of messages through layers of OSI protocols, as a transaction progresses from entry into an Internet switch until it arrives at its termination on the user's end. The OSI model defines the entire path of an IP packet. OSI describes the standards that specify the electrical protocols to which all transactions must conform. This approach defines the processing of transactions into seven layers. From top to bottom they are the application, presentation, session, transport, network, datalink and physical layers.

The OSI layered approach makes it possible for each subordinate layer to provide services to the next higher layer as a transaction is converted from lower to higher levels of abstraction. All of these abstractions travel from layer to layer as a series of binary bits because that is the only way microprocessors can handle the passage of a message as it traverses from layer to layer. All of the layers are interdependent; if the datalink or the network layers are compromised, any of the other layers will not be aware of this and communications on the Global Information Grid, or GIG, could cease to function.

Masquerading by the attacker, in many forms, is the root cause for Internet infrastructure attacks. The attacker either spoofs or disguises information, which then is inserted into switches and routers. When that happens, the network is compromised and can be fixed only through actions that mitigate the intrinsic Internet defects.

The remedy for all the masquerading is the authentication of transactions as well as the vigilance of the operators in the network operating centers to counter attackers' disguises. Though the fundamental protocols of the Internet remain insecure, preventive measures can be taken provided that the thousands of defenders are better organized than the people who are waging the attacks.

Defending the Internet infrastructure is an unequal contest. The attackers benefit from millions of local failures because they can gain knowledge every time they learn about the defenders. The aggressors do not need much money because they use the free Internet, and their software tools can be easily acquired. The tools can be reconfigured to adapt to changing conditions. The defenders meanwhile are tied down by the technologies that must cover the entire network. They are shackled by budgetary limitations that cannot flex for rapid responses because protective measures must cover millions of potential points of exposure. This is why the defenders must rely on superior organization and on human intelligence for rapid responses to unexpected threats after their technological means become insufficient.

The security of the Internet remains the most advanced form of asymmetric arms race. Improved countermeasures by thousands of defenders have to compete against the new schemes devised by a handful of unconventional attackers to corrupt the Internet. This contest takes place not only in the form of technological countermeasures, but also in the form of superior competence of the defenders to maintain operations without error, negligence or acts of omission.

People must accept that the Internet infrastructure is faulty and will remain so for the foreseeable future. It will take an exceptional Cyber Command, staffed by exceptional personnel, to safeguard U.S. military interests against failure that could have devastating consequences.